Remove unused code
Old, now unused code removed entirely.
This commit is contained in:
Johannes Bauer
parent
1f56e19361
commit
6b5ed8f62c
170
client.c
170
client.c
@ -43,176 +43,6 @@
|
||||
#include "keydb.h"
|
||||
#include "uuid.h"
|
||||
|
||||
#if 0
|
||||
static const struct keydb_t *client_keydb;
|
||||
|
||||
static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len) {
|
||||
log_msg(LLVL_DEBUG, "psk_client_callback: SSL %p, hint '%s'.", ssl, hint);
|
||||
if (max_psk_len < PSK_SIZE_BYTES) {
|
||||
log_msg(LLVL_ERROR, "Client error: max_psk_len too small.");
|
||||
return 0;
|
||||
}
|
||||
if (max_identity_len < strlen(CLIENT_PSK_IDENTITY) + 1) {
|
||||
log_msg(LLVL_ERROR, "Client error: max_identity_len too small.");
|
||||
return 0;
|
||||
}
|
||||
|
||||
uint8_t parsed_uuid[16];
|
||||
if (!parse_uuid(parsed_uuid, hint)) {
|
||||
log_msg(LLVL_ERROR, "Client error: given hint '%s' is not a valid UUID.", hint);
|
||||
return 0;
|
||||
}
|
||||
|
||||
const struct keyentry_t *entry = keydb_find_entry_by_host_uuid(client_keydb, parsed_uuid);
|
||||
if (!entry) {
|
||||
log_msg(LLVL_ERROR, "Client error: server hint '%s' not present in database.", hint);
|
||||
return 0;
|
||||
}
|
||||
|
||||
strncpy(identity, CLIENT_PSK_IDENTITY, max_identity_len);
|
||||
memcpy(psk, entry->psk, PSK_SIZE_BYTES);
|
||||
return PSK_SIZE_BYTES;
|
||||
}
|
||||
|
||||
static int tls_client_connect(const struct keyentry_t *keyentry, const char *host_port) {
|
||||
struct generic_tls_ctx_t gctx;
|
||||
create_generic_tls_context(&gctx, false);
|
||||
|
||||
SSL_CTX_set_psk_client_callback(gctx.ctx, psk_client_callback);
|
||||
|
||||
BIO *conn = BIO_new_ssl_connect(gctx.ctx);
|
||||
if (!conn) {
|
||||
log_openssl(LLVL_ERROR, "Cannot get SSL client connect BIO.");
|
||||
return false;
|
||||
}
|
||||
|
||||
if (BIO_set_conn_hostname(conn, host_port) != 1) {
|
||||
log_openssl(LLVL_ERROR, "Cannot set SSL client connect hostname/port.");
|
||||
return false;
|
||||
}
|
||||
|
||||
SSL *ssl = NULL;
|
||||
BIO_get_ssl(conn, &ssl);
|
||||
if (!ssl) {
|
||||
log_openssl(LLVL_ERROR, "Cannot get SSL client SSL context.");
|
||||
return false;
|
||||
}
|
||||
|
||||
if (BIO_do_connect(conn) != 1) {
|
||||
log_openssl(LLVL_ERROR, "Cannot perform SSL client connect.");
|
||||
return false;
|
||||
}
|
||||
|
||||
if (BIO_do_handshake(conn) != 1) {
|
||||
log_openssl(LLVL_ERROR, "Cannot perform SSL client handshake.");
|
||||
return false;
|
||||
}
|
||||
|
||||
log_msg(LLVL_DEBUG, "Client successfully connected to server.");
|
||||
for (int i = 0; i < MAX_DISKS_PER_HOST; i++) {
|
||||
if (keyentry->disk_keys[i].occupied) {
|
||||
log_msg(LLVL_DEBUG, "Client sending key #%d", i);
|
||||
|
||||
struct msg_t msg;
|
||||
memset(&msg, 0, sizeof(msg));
|
||||
memcpy(msg.disk_uuid, keyentry->disk_keys[i].disk_uuid, 16);
|
||||
msg.passphrase_length = keyentry->disk_keys[i].passphrase_length;
|
||||
memcpy(msg.passphrase, keyentry->disk_keys[i].passphrase, MAX_PASSPHRASE_LENGTH);
|
||||
msg_to_nbo(&msg);
|
||||
int txed = SSL_write(ssl, &msg, sizeof(msg));
|
||||
if (txed != sizeof(msg)) {
|
||||
log_msg(LLVL_ERROR, "Truncated message sent: tried to send %d bytes, but only %d bytes went through. Aborting connection.", sizeof(msg), txed);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
BIO_free_all(conn);
|
||||
free_generic_tls_context(&gctx);
|
||||
return 0;
|
||||
}
|
||||
|
||||
static bool parse_announcement(const struct options_t *options, const struct sockaddr_in *peer_addr, const struct announcement_t *announcement) {
|
||||
log_msg(LLVL_DEBUG, "Parsing possible announcement from %d.%d.%d.%d:%d", PRINTF_FORMAT_IP(peer_addr), ntohs(peer_addr->sin_port));
|
||||
const uint8_t expect_magic[16] = CLIENT_ANNOUNCE_MAGIC;
|
||||
if (memcmp(announcement->magic, expect_magic, 16)) {
|
||||
/* Magic number does not match, discard. */
|
||||
return false;
|
||||
}
|
||||
|
||||
const struct keyentry_t *keyentry = keydb_find_entry_by_host_uuid(client_keydb, announcement->host_uuid);
|
||||
|
||||
char ascii_host_uuid[40];
|
||||
sprintf_uuid(ascii_host_uuid, announcement->host_uuid);
|
||||
log_msg(LLVL_DEBUG, "Received valid announcement from %s host %s", (keyentry == NULL) ? "unknown" : "known", ascii_host_uuid);
|
||||
|
||||
if (keyentry == NULL) {
|
||||
/* The announcement is valid, but we don't know the client -- so we
|
||||
* can't do anything further */
|
||||
return false;
|
||||
}
|
||||
|
||||
/* We know the server. But maybe we've already tried to contact them and
|
||||
* therefore they're blacklisted for a certain period of time. Check this
|
||||
* now (we don't want to spam servers with maybe invalid passphrases). */
|
||||
uint32_t ip = peer_addr->sin_addr.s_addr;
|
||||
if (is_ip_blacklisted(ip)) {
|
||||
log_msg(LLVL_DEBUG, "%d.%d.%d.%d is currently blacklisted for %d seconds.", PRINTF_FORMAT_IP(peer_addr), BLACKLIST_ENTRY_TIMEOUT_SECS);
|
||||
return false;
|
||||
} else {
|
||||
/* Blacklist for next time */
|
||||
blacklist_ip(ip);
|
||||
}
|
||||
|
||||
char destination_address[32];
|
||||
snprintf(destination_address, sizeof(destination_address) - 1, "%d.%d.%d.%d:%d", PRINTF_FORMAT_IP(peer_addr), options->port);
|
||||
log_msg(LLVL_DEBUG, "Trying to connect to %s in order to transmit keys", destination_address);
|
||||
|
||||
tls_client_connect(keyentry, destination_address);
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool tls_client(const struct keydb_t *keydb, const struct options_t *options) {
|
||||
client_keydb = keydb;
|
||||
|
||||
int sd = socket(AF_INET, SOCK_DGRAM, 0);
|
||||
if (sd < 0) {
|
||||
log_libc(LLVL_ERROR, "Unable to create UDP client socket(2)");
|
||||
return false;
|
||||
}
|
||||
|
||||
{
|
||||
int value = 1;
|
||||
setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &value, sizeof(value));
|
||||
}
|
||||
|
||||
struct sockaddr_in local_addr;
|
||||
local_addr.sin_family = AF_INET;
|
||||
local_addr.sin_port = htons(options->port);
|
||||
local_addr.sin_addr.s_addr = htonl(INADDR_ANY);
|
||||
memset(local_addr.sin_zero, 0, sizeof(local_addr.sin_zero));
|
||||
|
||||
if (bind(sd, (struct sockaddr*)&local_addr, sizeof(local_addr))) {
|
||||
log_libc(LLVL_ERROR, "Unable to bind(2) UDP client socket to port %d", options->port);
|
||||
return false;
|
||||
}
|
||||
|
||||
int tries = 0;
|
||||
while ((options->unlock_cnt == 0) || (tries < options->unlock_cnt)) {
|
||||
uint8_t rxbuf[2048];
|
||||
struct sockaddr_in peer_addr;
|
||||
socklen_t addr_size = sizeof(peer_addr);
|
||||
int rxlen = recvfrom(sd, rxbuf, sizeof(rxbuf), 0, (struct sockaddr *)&peer_addr, &addr_size);
|
||||
if (rxlen == sizeof(struct announcement_t)) {
|
||||
if (parse_announcement(options, &peer_addr, (struct announcement_t*)rxbuf)) {
|
||||
tries++;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
#endif
|
||||
|
||||
struct keyclient_t {
|
||||
const struct pgmopts_client_t *opts;
|
||||
struct keydb_t *keydb;
|
||||
|
||||
185
server.c
185
server.c
@ -48,6 +48,13 @@
|
||||
#include "keydb.h"
|
||||
#include "signals.h"
|
||||
|
||||
struct client_ctx_t {
|
||||
struct generic_tls_ctx_t *gctx;
|
||||
const struct keydb_t *keydb;
|
||||
const struct host_entry_t *host;
|
||||
int fd;
|
||||
};
|
||||
|
||||
static int create_tcp_server_socket(int port) {
|
||||
int s;
|
||||
struct sockaddr_in addr;
|
||||
@ -80,184 +87,6 @@ static int create_tcp_server_socket(int port) {
|
||||
return s;
|
||||
}
|
||||
|
||||
#if 0
|
||||
static const struct keyentry_t *server_key;
|
||||
|
||||
|
||||
|
||||
static bool unlock_disk(const struct diskentry_t *disk, const uint8_t *passphrase, int passphrase_length) {
|
||||
char ascii_uuid[40];
|
||||
sprintf_uuid(ascii_uuid, disk->disk_uuid);
|
||||
log_msg(LLVL_INFO, "Trying to unlock disk %s with UUID %s", disk->devmapper_name, ascii_uuid);
|
||||
#ifdef DEBUG
|
||||
fprintf(stderr, "Using %d bytes key for unlocking: ", passphrase_length);
|
||||
dump_hex(stderr, passphrase, passphrase_length);
|
||||
fprintf(stderr, "\n");
|
||||
#endif
|
||||
if (is_luks_device_opened(disk->devmapper_name)) {
|
||||
log_msg(LLVL_INFO, "Disk %s already unlocked, nothing to do.", disk->devmapper_name, ascii_uuid);
|
||||
return true;
|
||||
}
|
||||
return open_luks_device_pw(disk->disk_uuid, disk->devmapper_name, passphrase, passphrase_length);
|
||||
}
|
||||
|
||||
static bool all_disks_unlocked(const struct keyentry_t *keyentry) {
|
||||
for (int i = 0; i < MAX_DISKS_PER_HOST; i++) {
|
||||
if (keyentry->disk_keys[i].occupied && !is_luks_device_opened(keyentry->disk_keys[i].devmapper_name)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool tls_server(const struct keyentry_t *key, const struct options_t *options) {
|
||||
if (all_disks_unlocked(key)) {
|
||||
log_msg(LLVL_INFO, "Starting of server not necessary, all disks already unlocked.");
|
||||
return true;
|
||||
}
|
||||
|
||||
struct generic_tls_ctx_t gctx;
|
||||
create_generic_tls_context(&gctx, true);
|
||||
|
||||
server_key = key;
|
||||
{
|
||||
char ascii_host_uuid[40];
|
||||
sprintf_uuid(ascii_host_uuid, key->host_uuid);
|
||||
SSL_CTX_use_psk_identity_hint(gctx.ctx, ascii_host_uuid);
|
||||
}
|
||||
SSL_CTX_set_psk_server_callback(gctx.ctx, psk_server_callback);
|
||||
|
||||
int tcp_sock = create_tcp_socket(options->port);
|
||||
if (tcp_sock == -1) {
|
||||
log_msg(LLVL_ERROR, "Cannot start server without server socket.");
|
||||
free_generic_tls_context(&gctx);
|
||||
return false;
|
||||
}
|
||||
|
||||
int udp_sock = create_udp_socket();
|
||||
if (tcp_sock == -1) {
|
||||
log_msg(LLVL_ERROR, "Cannot broadcast without announcement UDP socket.");
|
||||
close(tcp_sock);
|
||||
free_generic_tls_context(&gctx);
|
||||
return false;
|
||||
}
|
||||
|
||||
log_msg(LLVL_DEBUG, "Created listening socket on port %d", options->port);
|
||||
int tries = 0;
|
||||
int failed_broadcast_cnt = 0;
|
||||
while ((options->unlock_cnt == 0) || (tries < options->unlock_cnt)) {
|
||||
struct sockaddr_in addr;
|
||||
unsigned int len = sizeof(addr);
|
||||
|
||||
log_msg(LLVL_DEBUG, "Waiting for incoming connection...");
|
||||
if (!announce_waiting_message(udp_sock, options->port, key)) {
|
||||
failed_broadcast_cnt++;
|
||||
if ((options->max_broadcast_errs != 0) && (failed_broadcast_cnt >= options->max_broadcast_errs)) {
|
||||
log_msg(LLVL_ERROR, "Too many broadcast errors, aborting. Network unavailable?");
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!socket_wait_acceptable(tcp_sock, WAITING_MESSAGE_BROADCAST_INTERVAL_MILLISECONDS)) {
|
||||
/* No connection pending, timeout. */
|
||||
continue;
|
||||
}
|
||||
|
||||
log_msg(LLVL_DEBUG, "Trying to accept connection...");
|
||||
int client = accept(tcp_sock, (struct sockaddr*)&addr, &len);
|
||||
if (client < 0) {
|
||||
log_libc(LLVL_ERROR, "Unable to accept(2)");
|
||||
close(udp_sock);
|
||||
close(tcp_sock);
|
||||
free_generic_tls_context(&gctx);
|
||||
return false;
|
||||
}
|
||||
|
||||
SSL *ssl = SSL_new(gctx.ctx);
|
||||
SSL_set_fd(ssl, client);
|
||||
|
||||
if (SSL_accept(ssl) <= 0) {
|
||||
ERR_print_errors_fp(stderr);
|
||||
} else {
|
||||
tries++;
|
||||
log_msg(LLVL_DEBUG, "Client connected, waiting for data...");
|
||||
while (true) {
|
||||
struct msg_t msg;
|
||||
int rxlen = SSL_read(ssl, &msg, sizeof(msg));
|
||||
if (rxlen == 0) {
|
||||
/* Client severed the connection */
|
||||
break;
|
||||
}
|
||||
if (rxlen != sizeof(msg)) {
|
||||
log_msg(LLVL_ERROR, "Truncated message (%d bytes) received, terminating connection. Expected %d bytes.", rxlen, sizeof(msg));
|
||||
break;
|
||||
}
|
||||
msg_to_hbo(&msg);
|
||||
|
||||
if ((msg.passphrase_length == 0) || (msg.passphrase_length > MAX_PASSPHRASE_LENGTH)) {
|
||||
log_msg(LLVL_FATAL, "Client sent malformed message indicating illegal passphrase length of %d bytes. Aborting connection.", msg.passphrase_length);
|
||||
break;
|
||||
}
|
||||
|
||||
/* Now check if this is one of they keys we're actually looking for */
|
||||
bool found = false;
|
||||
for (int i = 0; i < MAX_DISKS_PER_HOST; i++) {
|
||||
if (!memcmp(key->disk_keys[i].disk_uuid, msg.disk_uuid, 16)) {
|
||||
bool success = unlock_disk(&key->disk_keys[i], msg.passphrase, msg.passphrase_length);
|
||||
log_msg(LLVL_DEBUG, "Unlocking of disk was %s", success ? "successful" : "unsuccessful");
|
||||
found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!found) {
|
||||
char ascii_uuid[40];
|
||||
sprintf_uuid(ascii_uuid, msg.disk_uuid);
|
||||
log_msg(LLVL_INFO, "Client sent passphrase for UUID %s; we were not expecting it. Ignored.", ascii_uuid);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
SSL_free(ssl);
|
||||
close(client);
|
||||
|
||||
/* Connection closed */
|
||||
if (all_disks_unlocked(key)) {
|
||||
log_msg(LLVL_INFO, "All disks successfully unlocked.");
|
||||
break;
|
||||
} else {
|
||||
log_msg(LLVL_DEBUG, "At least one disk remains locked after communication.");
|
||||
}
|
||||
}
|
||||
|
||||
close(udp_sock);
|
||||
close(tcp_sock);
|
||||
free_generic_tls_context(&gctx);
|
||||
return true;
|
||||
}
|
||||
#endif
|
||||
|
||||
#if 0
|
||||
static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk, unsigned int max_psk_len) {
|
||||
if (max_psk_len < PSK_SIZE_BYTES) {
|
||||
log_msg(LLVL_FATAL, "Server error: max_psk_len too small.");
|
||||
return 0;
|
||||
}
|
||||
if (strcmp(identity, CLIENT_PSK_IDENTITY)) {
|
||||
log_msg(LLVL_FATAL, "Server error: client identity '%s' unexpected (expected '%s').", identity, CLIENT_PSK_IDENTITY);
|
||||
return 0;
|
||||
}
|
||||
// memcpy(psk, server_key->psk, PSK_SIZE_BYTES);
|
||||
return PSK_SIZE_BYTES;
|
||||
}
|
||||
#endif
|
||||
|
||||
struct client_ctx_t {
|
||||
struct generic_tls_ctx_t *gctx;
|
||||
const struct keydb_t *keydb;
|
||||
const struct host_entry_t *host;
|
||||
int fd;
|
||||
};
|
||||
|
||||
|
||||
static int psk_server_callback(SSL *ssl, const unsigned char *identity, size_t identity_len, SSL_SESSION **sessptr) {
|
||||
struct client_ctx_t *ctx = (struct client_ctx_t*)SSL_get_app_data(ssl);
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user